This Data Processing Addendum (“DPA”) forms part of the Tidyflow Terms of Service and applies where Tidyflow processes Personal Data on behalf of a customer.
1. Definitions
Customer means the entity or individual using the Tidyflow Service.
Tidyflow means the provider of the Service.
Personal Data means any information relating to an identified or identifiable individual that is processed through the Service.
Customer Data means all data submitted to or stored within the Service by Customer.
2. Roles of the Parties
For Personal Data included in Customer Data:
- Customer acts as the Data Controller (or equivalent under applicable law).
- Tidyflow acts as the Data Processor, processing Personal Data solely on behalf of Customer.
Tidyflow does not determine the purposes or means of processing Customer Data.
3. Scope of Processing
Tidyflow processes Personal Data only:
- To provide and maintain the Service
- To support Customer requests
- To ensure system security and reliability
- As otherwise instructed by Customer through use of the Service
The categories of Personal Data processed depend on what Customer chooses to upload and may include names, contact details, financial information, and documents.
Processing occurs primarily in the United States.
4. Confidentiality
Tidyflow ensures that personnel authorized to process Personal Data:
- Are bound by confidentiality obligations
- Receive appropriate security awareness training
- Have access limited to what is necessary to perform their role
5. Security Measures
Tidyflow implements appropriate technical and organizational measures designed to protect Personal Data, including:
- Encryption in transit (TLS)
- Encryption of sensitive data at rest
- Role-based access controls
- Multi-factor authentication support
- Logical tenant isolation between customer accounts
- Restricted internal access to production systems
- Regular system updates and security monitoring
Further details are available on the Tidyflow Security page.
6. Sub-processors
Tidyflow may engage trusted third-party service providers (“Sub-processors”) to support the Service.
Tidyflow:
- Enters into written agreements with Sub-processors
- Requires Sub-processors to implement appropriate data protection safeguards
- Remains responsible for Sub-processor compliance with this DPA
A current list of Sub-processors is available on the Tidyflow Sub-processors page.
7. International Transfers
Where Personal Data is transferred outside the jurisdiction of the Customer, Tidyflow implements appropriate safeguards consistent with applicable data protection laws.
Primary infrastructure and data storage are located in the United States.
8. Assistance with Data Subject Requests
To the extent required by applicable law, Tidyflow will provide reasonable assistance to Customer in responding to requests from individuals exercising their data protection rights.
9. Data Retention and Deletion
Customer Data is retained for the duration of the subscription.
Upon termination of the Service:
- Customer may request export of Customer Data within a reasonable period.
- Customer Data will be securely deleted in accordance with Tidyflow’s internal retention policies, unless retention is required by law.
10. Audits
Upon reasonable written request, Tidyflow may provide information necessary to demonstrate compliance with this DPA.
Tidyflow may satisfy audit requests through documentation, certifications, or written responses.
11. Governing Terms
This DPA is governed by the same law and jurisdiction as the Tidyflow Terms of Service.
In the event of conflict between this DPA and the Terms of Service, this DPA shall control with respect to data protection matters.